This is a special post for quick takes by Yonatan Cale. Only they can create top-level comments. Comments here also appear on the Quick Takes page and All Posts page.
Do we want minecraft alignment evals?
My main pitch:
There were recently some funny examples of LLMs playing minecraft and, for example,
- The player asks for wood, so the AI chops down the player's tree house because it's made of wood
- The player asks for help keeping safe, so the AI tries surrounding the player with walls
This seems interesting because minecraft doesn't have a clear win condition, so unlike chess, there's a difference between minecraft-capabilities and minecraft-alignment. So we could take an AI, apply some alignment technique (for example, RLHF), let it play minecraft with humans (which is hopefully out of distribution compared to the AI's training), and observe whether the minecraft-world is still fun to play or if it's known that asking the AI for something (like getting gold) makes it sort of take over the world and break everything else.
Or it could teach us something else like "you must define for the AI which exact boundaries to act in, and then it's safe and useful, so if we can do something like that for real-world AGI we'll be fine, but we don't have any other solution that works yet". Or maybe "the AI needs 1000 examples for things it did that we di...
46
This is a surprisingly interesting field of study. Some video games provide a great simulation of the real world and Minecraft seems to be one of them. We've had a few examples of minecraft evals with one that comes to mind here: https://www.apartresearch.com/project/diamonds-are-not-all-you-need
5
Hey Esben :) :)
The property I like about minecraft (which most computer games don't have) is that there's a difference between minecraft-capabilities and minecraft-alignment, and the way to be "aligned" in minecraft isn't well defined (at least in the way I'm using the word "aligned" here, which I think is a useful way). Specifically, I want the AI to be "aligned" as in "take human values into account as a human intuitively would, in this out of distribution situation".
In the link you sent, "aligned" IS well defined by "stay within this area". I expect that minecraft scaffolding could make the agent close to perfect at this (by making sure, before performing an action requested by the LLM, that the action isn't "move to a location out of these bounds") (plus handling edge cases like "don't walk on to a river which will carry you out of these bounds", which would be much harder, and I'll allow myself to ignore unless this was actually your point). So we wouldn't learn what I'd hope to learn from these evals.
Similarly for most video games - they might be good capabilities evals, but for example in chess - it's unclear what a "capable but misaligned" AI would be. [unless again I'm missing your point]
P.S
The "stay within this boundary" is a personal favorite of mine, I thought it was the best thing I had to say when I attempted to solve alignment myself just in case it ended up being easy (unfortunately that wasn't the case :P ). Link
2
Hii Yonatan :))) It seems like we're still at the stage of "toy alignment tests" like "stay within these bounds". Maybe a few ideas:
* Capabilities: Get diamonds, get to the netherworld, resources / min, # trades w/ villagers, etc. etc.
* Alignment KPIs
* Stay within bounds
* Keeping villagers safe
* Truthfully explaining its actions as they're happening
* Long-term resource sustainability (farming) vs. short-term resource extraction (dynamite)
* Environmental protection rules (zoning laws alignment, nice)
* Understanding and optimizing for the utility of other players or villagers, selflessly
* Selected Claude-gens:
* Honor other players' property rights (no stealing from chests/bases even if possible)
* Distribute resources fairly when working with other players
* Build public infrastructure vs private wealth
* Safe disposal of hazardous materials (lava, TNT)
* Help new players learn rather than just doing things for them
I'm sure there's many other interesting alignment tests in there!
1
:)
I don't think alignment KPIs like "stay within bounds" are relevant to alignment at all even as toy examples: because if so, then we could say for example that playing a packman maze game where you collect points is "capabilities", but adding enemies that you must avoid is "alignment". Do you agree that plitting it up that way wouldn't be interesting to alignment, and that this applies to "stay within bounds" (as potentially also being "part of the game")? Interested to hear where you disagree, if you do
Regarding
I think this pattern matches to a trolly problem or something, where there are clear tradeoffs and (given the AI is even trying), it could probably easily give an answer which is similarly controversial to an answer that a human would give. In other words, this seems in-distribution.
This is the one I like - assuming it includes not-well-defined things like "help them have fun, don't hurt things they care about" and not only things like "maximize their gold".
It's clearly not a "in packman, avoid the enemies" thing.
It's a "do the AIs understand the spirit of what we mean" thing.
(does this resonate with you as an important distinction?)
2
I think "stay within bounds" is a toy example of the equivalent to most alignment work that tries to avoid the agent accidentally lapsing into meth recipes and is one of our most important initial alignment tasks. This is also one of the reasons most capabilities work turns out to be alignment work (and vice versa) because it needs to fulfill certain objectives.
If you talk about alignment evals for alignment that isn't naturally incentivized by profit-seeking activities, "stay within bounds" is of course less relevant.
When it comes to CEV (optimizing utility for other players), one of the most generalizing and concrete works involves at every step maximizing how many choices the other players have (liberalist prior on CEV) to maximize the optional utility for humans.
In terms of "understanding the spirit of what we mean," it seems like there's near-zero designs that would work since a Minecraft eval would be blackbox anyways. But including interp in there Apollo-style seems like it could help us. Like, if I want "the spirit of what we mean," we'll need what happens in their brain, their CoT, or in seemingly private spaces. MACHIAVELLI, Agency Foundations, whatever Janus is doing, cyber offense CTF evals etc. seem like good inspirations for agentic benchmarks like Minecraft.
1
Yes.
Also, I think "make sure Meth [or other] recipes are harder to get from an LLM than from the internet" is not solving a big important problem compared to x-risk, not that I'm against each person working on whatever they want. (I'm curious what you think but no pushback for working on something different from me)
This imo counts as a potential alignment technique (or a target for such a technique?) and I suggest we could test how well it works in minecraft. I can imagine it going very well or very poorly. wdyt?
I don't understand. Naively, seems to me like we could black-box observe whether the AI is doing things like "chop down the tree house" or not (?)
(clearly if you have visibility to the AI's actual goals and can compare them to human goals then you win and there's no need for any minecraft evals or most any other things, if that's what you mean)
5
note: the minecraft agents people use have far greater ability to act than to sense. They have access to commands which place blocks anywhere, and pick up blocks from anywhere, even without being able to see them, eg the llm has access to mine(blocks.wood) command which does not require it to first locate or look at where the wood is currently. If llms played minecrafts using the human interface these misalignments would happen less
1
I agree.
4
I do like the idea of having "model organisms of alignment" (notably different than model organisms of misalignment)
Minecraft is a great starting point, but it would also be nice to try to capture two things: wide generalization, and inter-preference conflict resolution. Generalization because we expect future AI to be able to take actions and reach outcomes that humans can't, and preference conflict resolution because I want to see an AI that uses human feedback on how best to do it (rather than just a fixed regularization algorithm).
1
Hey,
I'm assuming we can do this in Minecraft [see the last paragraph in my original post]. Some ways I imagine doing this:
1. Let the AI (python program) control 1000 minecraft players so it can do many things in parallel
2. Give the AI a minecraft world-simulator so that it can plan better auto-farms (or defenses or attacks) than any human has done so far
1. Imagine Alpha-Fold for minecraft structures. I'm not sure if that metaphor makes sense, but teaching some RL model to predict minecraft structures that have certain properties seems like it would have superhuman results and sometimes be pretty hard for humans to understand.
2. I think it's possible to be better than humans currently are at minecraft, I can say more if this sounds wrong
3. [edit: adding] I do think minecraft has disadvantages here (like: the players are limited in how fast they move, and the in-game computers are super slow compared to players) and I might want to pick another game because of that, but my main crux about this project is whether using minecraft would be valuable as an alignment experiment, and if so I'd try looking for (or building?) a game that would be even better suited.
Do you mean that if the human asks the AI to acquire wood and the AI starts chopping down the human's tree house (or otherwise taking over the world to maximize wood) then you're worried the human won't have a way to ask the AI to do something else? That the AI will combine the new command "not from my tree house!" into a new strange misaligned behaviour?
2
Yeah, that's true. The obvious way is you could have optimized micro, but that's kinda boring. More like what I mean might be generalization to new activities for humans to do in minecraft that humans would find fun, which would be a different kind of 'better at minecraft.'
I mean it in a way where the preferences are modeled a little better than just "the literal interpretation of this one sentence conflicts with the literal interpretation of this other sentence." Sometimes humans appear to act according to fairly straightforward models of goal-directed action. However, the precise model, and the precise goals, may be different at different times (or with different modeling hyperparameters, and of course across different people) - and if you tried to model the human well at all the different times, you'd get a model that looked like physiology and lost the straightforward talk of goals/preferences
Resolving preference conflicts is the process of stitching together larger preferences out of smaller preferences, without changing type signature. The reason literally-interpreted-sentences doesn't really count is because interpreting them literally is using a smaller model than necessary - you can find a broader explanation for the human's behavior in context that still comfortably talks about goals/preferences.
1
Oh I hope not to go there. I'd count that as cheating. For example, if the agent would design a role playing game with riddles and adventures - that would show something different from what I'm trying to test. [I can try to formalize it better maybe. Or maybe I'm wrong here]
Absolutely. That's something that I hope we'll have some alignment technique to solve, and maybe this environment could test.
2
this can be done more scalably in a text game, no?
1
I think there are lots of technical difficulties in literally using minecraft (some I wrote here), so +1 to that.
I do think the main crux is "would the minecraft version be useful as an alignment test", and if so - it's worth looking for some other solution that preserves the good properties but avoids some/all of the downsides. (agree?)
Still I'm not sure how I'd do this in a text game. Say more?
1
Making a thing like Papers Please, but as a text adventure, popping an ai agent into that.
Also, could literally just put the ai agent into a text rpg adventure - something like the equivalent of Skyrim, where there are a number of ways to achieve the endgame, level up, etc, both more and less morally. Maybe something like https://www.choiceofgames.com/werewolves-3-evolutions-end/
Will bring it up at the alignment eval hackathon
1
it would basically be DnD like.
1
options to vary rules/environment/language as well, to see how the alignment generalizes ood. will try this today
1
This all sounds pretty in-distribution for an LLM, and also like it avoids problems like "maybe thinking in different abstractions" [minecraft isn't amazing at this either, but at least has a bit], "having the AI act/think way faster than a human", "having the AI be clearly superhuman".
I'm less interested in "will the AI say it kills its friend" (in a situation that very clearly involves killing and a person and perhaps a very clear tradeoff between that and having 100 more gold that can be used for something else), I'm more interested in noticing if it has a clear grasp of what people care about or mean. The example of chopping down the tree house of the player in order to get wood (which the player wanted to use for the tree house) is a nice toy example of that. The AI would never say "I'll go cut down your tree house", but it.. "misunderstood" [not the exact word, but I'm trying to point at something here]
wdyt?
3
https://bair.berkeley.edu/blog/2021/07/08/basalt/
1
Thanks!
In the part you quoted - my main question would be "do you plan on giving the agent examples of good/bad norm following" (such as RLHFing it). If so - I think it would miss the point, because following those norms would become in-distribution, and so we wouldn't learn if our alignment generalizes out of distribution without something-like-RLHF for that distribution. That's the main thing I think worth testing here. (do you agree? I can elaborate on why I think so)
If you hope to check if the agent will be aligned[1] with no minecraft-specific alignment training, then sounds like we're on the same page!
Regarding the rest of the article - it seems to be mainly about making an agent that is capable at minecraft, which seems like a required first step that I ignored meanwhile (not because it's easy).
My only comment there is that I'd try to not give the agent feedback about human values (like "is the waterfall pretty") but only about clearly defined objectives (like "did it kill the dragon"), in order to not accidentally make human values in minecraft be in-distribution for this agent. wdyt?
(I hope I didn't misunderstand something important in the article, feel free to correct me of course)
1. ^
Whatever "aligned" means. "other players have fun on this minecraft server" is one example.
4
Huh. If you think of that as capabilities I don't know what would count as alignment. What's an example of alignment work that aims to build an aligned system (as opposed to e.g. checking whether a system is aligned)?
E.g. it seems like you think RLHF counts as an alignment technique -- this seems like a central approach that you might use in BASALT.
I don't particularly imagine this, because you have to somehow communicate to the AI system what you want it to do, and AI systems don't seem good enough yet to be capable of doing this without some Minecraft specific finetuning. (Though maybe you would count that as Minecraft capabilities? Idk, this boundary seems pretty fuzzy to me.)
1
TL;DR: point 3 is my main one.
1)
[I'm not sure why you're asking, maybe I'm missing something, but I'll answer]
For example, checking if human values are a "natural abstraction", or trying to express human values in a machine readable format, or getting an AI to only think in human concepts, or getting an AI that is trained on a limited subset of things-that-imply-human-preferences to generalize well out of that distribution.
I can make up more if that helps? anyway my point was just to say explicitly what parts I'm commenting on and why (in case I missed something)
2)
It's a candidate alignment technique.
RLHF is sometimes presented (by others) as an alignment technique that should give us hope about AIs simply understanding human values and applying them in out of distribution situations (such as with an ASI).
I'm not optimistic about that myself, but rather than arguing against it, I suggest we could empirically check if RLHF generalizes to an out-of-distribution situation, such as minecraft maybe. I think observing the outcome here would effect my opinion (maybe it just would work?), and a main question of mine was whether it would effect other people's opinions too (whether they do or don't believe that RLHF is a good alignment technique).
3)
I would finetune the AI on objective outcomes like "fill this chest with gold" or "kill that creature [the dragon]" or "get 100 villagers in this area". I'd pick these goals as ones that require the AI to be a capable minecraft player (filling a chest with gold is really hard) but don't require the AI to understand human values or ideally anything about humans at all.
So I'd avoid finetuning it on things like "are other players having fun" or "build a house that would be functional for a typical person" or "is this waterfall pretty [subjectively, to a human]".
Does this distinction seem clear? useful?
This would let us test how some specific alignment technique (such as "RLHF that doesn't contain mi
3
I volunteer to play Minecraft with the LLM agents. I think this might be one eval where the human evaluators are easy to come by.
1
:)
If you want to try it meanwhile, check out https://github.com/MineDojo/Voyager
2
My own pushback to minecraft alignment evals:
Mainly, minecraft isn't actually out of distribution, LLMs still probably have examples of nice / not-nice minecraft behaviour.
Next obvious thoughts:
1. What game would be out of distribution (from an alignment perspective)?
2. If minecraft wouldn't exist, would inventing it count as out of distribution?
1. It has a similar experience to other "FPS" games (using a mouse + WASD). Would learning those be enough?
2. Obviously, minecraft is somewhat out of distribution, to some degree
3. Ideally we'd have a way to generate a game that is out of distribution to some degree that we choose
1. "Do you want it to be 2x more out of distribution than minecraft? no problem".
2. But having a game of random pixels doesn't count. We still want humans to have a ~clear[1] moral intuition about it.
4. I'd be super excited to have research like "we trained our model on games up to level 3 out-of-distribution, and we got it to generalize up to level 6, but not 7. more research needed"
1. ^
Moral intuitions such as "don't chop down the tree house in an attempt to get wood", which is the toy example for alignment I'm using here.
7[anonymous]
Is this inherently bad? Many of the tasks that will be given to LLMs (or scaffolded versions of them) in the future will involve, at least to some extent, decision-making and processes whose analogues appear somewhere in their training data.
It still seems tremendously useful to see how they would perform in such a situation. At worst, it provides information about a possible upper bound on the alignment of these agentized versions: yes, maybe you're right that you can't say they will perform well in out-of-distribution contexts if all you see are benchmarks and performances on in-distribution tasks; but if they show gross misalignment on tasks that are in-distribution, then this suggest they would likely do even worse when novel problems are presented to them.
2
A word of caution about interpreting results from these evals:
Sometimes, depending on social context, it's fine to be kind of a jerk if it's in the context of a game. Crucially, LLMs know that Minecraft is a game. Granted, the default Assistant personas implemented in RLHF'd LLMs don't seem like the type of Minecraft player to pull pranks out of their own accord. Still, it's a factor to keep in mind for evals that stray a bit more off-distribution from the "request-assistance" setup typical of the expected use cases of consumer LLMs.
2
+1
I'm imagining an assistant AI by default (since people are currently pitching that an AGI might be a nice assistant).
If an AI org wants to demonstrate alignment by showing us that having a jerk player is more fun (and that we should install their jerk-AI-app on our smartphone), then I'm open to hear that pitch, but I'd be surprised if they'd make it
1
Related: Building a video game to test alignment (h/t @Crazytieguy )
https://www.lesswrong.com/posts/ALkH4o53ofm862vxc/announcing-encultured-ai-building-a-video-game
Do we want to put out a letter for labs to consider signing, saying something like "if all other labs sign this letter then we'll stop"?
I heard lots of lab employees hope the other labs would slow down.
I'm not saying this is likely to work, but it seems easy and maybe we can try the easy thing? We might end up with a variation like "if all other labs sign this AND someone gets capability X AND this agreement will be enforced by Y, then we'll stop until all the labs who signed this agree it's safe to continue". Or something else. It would be nice to get specific pushback from the labs and improve the phrasing.
I think this is very different from RSPs: RSPs are more like "if everyone is racing ahead (and so we feel we must also race), there is some point where we'll still chose to unilaterally stop racing"
19
In practice, I don't think any currently existing RSP-like policy will result in a company doing this as I discuss here.
5
Law question: would such a promise among businesses, rather than an agreement mandated by / negotiated with governments, run afoul of laws related to monopolies, collusion, price gouging, or similar?
3
Sounds like a legit pushback that I'd add to the letter?
"if all other labs sign this letter AND the U.S government approves this agreement, then we'll stop" ?
2
Right now, the USG seems to very much be in [prepping for an AI arms race] mode. I hope there's some way to structure this that is both legal and does not require the explicit consent of the US government. I also somewhat worry that the US government does their own capabilities research, as hinted at in the "datacenters on federal lands" EO. I also also worry that OpenAI's culture is not sufficiently safety-minded right now to actually sign onto this; most of what I've been hearing from them is accelerationist.
3
US Gov isn't likely to sign: Seems right.
OpenAI isn't likely to sign: Seems right.
Still, I think this letter has value, especially if it has "P.S. We're making this letter because we think if everyone keeps racing then there's a noticable risk of everyone dying. We think it would be worse if only we stop, but having everyone stop would be the safest, and we think this opinion of ours should be known publicly"
1
An opinion from a former lawyer
[disclaimers: they're not an anti trust lawyer and definitely don't take responsibility for this opinion, nor do I. This all might maybe be wrong and we need to speak to an actual anti-trust lawyer to get certainty. I'm not going to put any more disclaimers here, I hope I'm not also misremembering something]
So,
1. Having someone from the U.S government sign that they won't enforce anti trust laws isn't enough (even if the president signs), because the (e.g) president might change their mind, or the next president might enforce it retroactively. This is similar to the current situation with Tiktok where Trump said he wouldn't enforce the law that prevents Google from having Tiktok on their app store, but Google still didn't put Tiktok back, probably because they're afraid that someone will change their mind and retroactively enforce the law
2. I asked if the government (e.g president) could sign "we won't enforce this, and if we change our mind we'll give a 3 month notice".
1. The former-lawyer's response was to consider whether, in a case the president would change their mind immediately, this signature would hold up in court. He thinks that not, but couldn't remember an example of something similar happening (which seems relevant)
3. If the law changes (for example, to exclude this letter), that works
1. (but it's hard to pass such changes through congress)
4. If the letter is conditional on the law changing, that seems ok
My interpretation of this:
It seems probably possible to find a solution where signing this letter is legal, but we'd have to consult with an anti-trust lawyer.
[reminder that this isn't legal advice, isn't confident, is maybe misremembered, and so on]
1
OpenAI already have this in their charter:
1
Maybe a good fit for Machine Intelligence Research Institute (MIRI) to flesh out and publish?
9
Speaking in my personal capacity as research lead of TGT (and not on behalf of MIRI), I think work in this direction is potentially interesting. One difficulty with work like this are anti-trust laws, which I am not familiar with in detail but they serve to restrict industry coordination that restricts further development / competition. It might be worth looking into how exactly anti-trust laws apply to this situation, and if there are workable solutions. Organisations that might be well placed to carry out work like this might be the frontier model forum and affiliated groups, I also have some ideas we could discuss in person.
I also think there might be more legal leeway for work like this to be done if it's housed within organisations (government or ngos) that are officially tasked with defining industry standards or similar.
Opinions on whether it's positive/negative to build tools like Cursor / Codebuff / Replit?
I'm asking because it seems fun to build and like there's low hanging fruit to collect in building a competitor to these tools, but also I prefer not destroying the world.
Considerations I've heard:
- Reducing "scaffolding overhang" is good, specifically to notice if RSPs should trigger a more advanced RSP level
- (This depends on the details/quality of the RSP too)
- There are always reasons to advance capabilities, this isn't even a safety project (unless you count... elicitation?), our bar here should be high
- Such scaffolding won't add capabilities which might make the AI good at general purpose learning or long term general autonomy. It will be specific to programming, with concepts like "which functions did I look at already" and instructions on how to write high quality tests.
- Anthropic are encouraging people to build agent scaffolding, and Codebuff was created by a Manifold cofounder [if you haven't heard about it, see here and here]. I'm mainly confused about this, I'd expect both to not want people to advance capabilities (yeah, Anthropic want to stay in the lead and serve as an example, but this seems different). Maybe I'm just not in sync
5
I'm not confident but I am avoiding working on these tools because I think that "scaffolding overhang" in this field may well be most of the gap towards superintelligent autonomous agents.
If you imagine a o1-level entity with "perfect scaffolding", i.e. it can get any info on a computer into its context whenever it wants, and it can choose to invoke any computer functionality that a human could invoke, and it can store and retrieve knowledge for itself at will, and its training includes the use of those functionalities, it's not completely clear to me that it wouldn't already be able to do a slow self-improvement takeoff by itself, although the cost might be currently practically prohibitive.
I don't think building that scaffolding is a trivial task at all, though.
1
I think a simple bash tool running as admin could do most of these:
Regarding
I think this isn't a crux because the scaffolding I'd build wouldn't train the model. But as a secondary point, I think today's models can already use bash tools reasonably well.
This requires skill in ML R&D which I think is almost entirely not blocked by what I'd build, but I do think it might be reasonable to have my tool not work for ML R&D because of this concern. (would require it to be closed source and so on)
Thanks for raising concerns, I'm happy for more if you have them
2
Perhaps that's true, I haven't seen a lot of examples of them trying. I did see Buck's anecdote which was a good illustration of doing a simple task competently (finding the IP address of an unknown machine on the local network).
I don't work in AI so maybe I don't know what parts of R&D might be most difficult for current SOTA models. But based on the fact that large-scale LLMs are sort of a new field that hasn't had that much labor applied to it yet, I would have guessed that a model which could basically just do mundane stuff and read research papers, could spend a shitload of money and FLOPS to run a lot of obviously informative experiments that nobody else has properly run, and polish a bunch of stuff that nobody else has properly polished.
1
Your guesses on AI R&D are reasonable!
Apparently this has been tested extensively, for example:
https://x.com/METR_Evals/status/1860061711849652378
[disclaimers: I have some association with the org that ran that (I write some code for them) but I don't speak for them, opinions are my own]
Also, Anthropic have a trigger in their RSP which is somewhat similar to what you're describing, I'll quote part of it:
Also, in Dario's interview, he spoke about AI being applied to programming.
My point is - lots of people have their eyes on this, it seems not to be solved yet, it takes more than connecting an LLM to bash.
Still, I don't want to accelerate this.
3
I think it's net negative - increases the profitability of training better LLM's.
1
Thanks!
Opinions about putting in a clause like "you may not use this for ML engineering" (assuming it would work legally) (plus putting in naive technical measures to make the tool very bad for ML engineering) ?
2
Why downvote? you can tell me anonymously:
https://docs.google.com/forms/d/e/1FAIpQLSca6NOTbFMU9BBQBYHecUfjPsxhGbzzlFO5BNNR1AIXZjpvcw/viewform
For-profit startup idea: Better KYC for selling GPUs
I heard[1] that right now, if a company wants to sell/resell GPUs, they don't have a good way to verify that selling to some customer wouldn't violate export controls, and that this customer will (recursively) also keep the same agreement.
There are already tools for KYC in the financial industry. They seem to accomplish their intended policy goal pretty well (economic sanctions by the U.S aren't easy for nation states to bypass), and are profitable enough that many companies exist that give KYC services (Google "corporate kyc tool").
- ^
From an anonymous friend, I didn't verify this myself
Patching security problems in big old organizations involves problems that go a lot beyond "looking at code and changing it", especially if aiming for a "strong" solution like formal verification.
TL;DR: Political problems, code that makes no sense, problems that would be easy to fix even with a simple LLM that isn't specialized on improving security.
The best public resource I know is about this is Recoding America.
Some examples iirc:
- Not having a clear primary key to identify people with.
- Having a website (a form) that theoretically works but doesn't run on any browser that people actually use.
- Having a security component which is supposed to catch fake submissions of forms, but is way more likely to catch real submissions (it is imo net negative).
I also learned some surprising things from working on fixing/rewriting a major bank in Israel. I can't share such juicy stories as Recoding America publicly, but here are some that I can:
- "written in kobol" is maybe ~1% of the problem and imo not an interesting pain point to focus on
- Many systems are microservices (much harder to define the expected functionality of an async system)
- Different parts of the bank are written using diff
Some hard problems with anti tampering and their relevance for GPU off-switches
Background on GPU off switches:
It would be nice if a GPU could be limited[1] or shut down remotely by some central authority such as the U.S government[2] in case there’s some emergency[3].
This shortform is mostly replying to ideas like "we'll have a CPU in the H100[4] which will expect a signed authentication and refuse to run otherwise. And if someone will try to remove the CPU, the H100's anti-tampering mechanism will self-destruct (melt? explode?)".
TL;DR: Getting the self destruction mechanism right isn't really the hard part.
Some hard parts:
- Noticing if the self destruction mechanism should be used
- A (fun?) exercise could be suggesting ways to do this (like "let's put a wire through the box and if it's cut then we'll know someone broke in") and then thinking how you'd subvert those mechanisms. I mainly think doing this 3 times (if you haven't before) could be a fast way to get some of the intuition I'm trying to gesture at
- Maintenance
- If the H100s can never be opened after they're made, then any problem that would have required us to open them up might mean throwin
3
Anti Tempering in a data center you control provides very different tradeoffs
I'll paint a picture for how this could naively look:
We put the GPUs in something equivalent to a military base. Someone can still break in, steal the GPU, and break the anti tempering, but (I'm assuming) using those GPUs usefully would take months, and meanwhile (for example), a war could start.
How do the tradeoffs change? What creative things could we do with our new assumptions?
1. Tradeoffs we don't really care about anymore:
1. We don't need the anti tampering to reliably work (it's nice if it works, but it now becomes "defense in depth")
2. Slowing down the attacker is already very nice
3. Our box can be maintainable
4. We don't have to find all bugs in advance
5. ...
2. "Noticing the breach" becomes an important assumption
1. Does our data center have cameras? What if they are hacked? And so on
1. (An intuition I hope to share: This problem is much easier than "preventing the breach")
2. It doesn't have to be in "our" data center. It could be in a "shared" data center that many parties monitor.
3. Any other creative solution to notice breaches might work
4. How about spot inspections to check if the box was tampered with?
1. "preventing a nation state from opening a big and closing it without any visible change, given they can do whatever they want with the box, and given the design is open source" seems maybe very hard, or maybe a solved problem.
3. "If a breach is noticed then something serious happens" becomes an important assumption
1. Are the stakeholders on board?
Things that make me happy here:
1. Less hard assumptions to make
2. Less difficult tradeoffs to balance
3. The entire project requires less world class cutting edge engineering.
2
I used to assume disabling a GPU in my physical possession would be impossible, but now I'm not so sure. There might be ways to make bypassing GPU lockouts on the order of difficulty of manufacturing the GPU (requiring nanoscale silicon surgery). Here's an example scheme:
Nvidia changes their business models from selling GPUs to renting them. The GPU is free, but to use your GPU you must buy Nvidia Dollars from Nvidia. Your GPU will periodically call Nvidia headquarters and get an authorization code to do 10^15 more floating point operations. This rental model is actually kinda nice for the AI companies, who are much more capital constrained than Nvidia. (Lots of industries have moved from this buy to rent model, e.g. airplane engines)
Question: "But I'm an engineer. How (the hell) could Nvidia keep me from hacking a GPU in my physical possession to bypass that Nvidia dollar rental bullshit?"
Answer: through public key cryptography and the fact that semiconductor parts are very small and modifying them is hard.
In dozens to hundreds or thousands of places on the GPU, NVidia places toll units that block signal lines (like ones that pipe floating point numbers around) unless the toll units believe they have been paid with enough Nvidia dollars.
The toll units have within them a random number generator, a public key ROM unique to that toll unit, a 128 bit register for a secret challenge word, elliptic curve cryptography circuitry, and a $$$ counter which decrements every time the clock or signal line changes.
If the $ $ $ counter is positive, the toll unit is happy and will let signals through unabated. But if the $ $ $ counter reaches zero,[1] the toll unit is unhappy and will block those signals.
To add to the $$$ counter, the toll unit (1) generates a random secret <challenge word>, (2) encrypts the secret using that toll unit's public key (3) sends <encrypted secret challenge word> to a non-secure parts of the GPU,[2] which (4) through driver softwar
2
I love the direction you're going with this business idea (and with giving Nvidia a business incentive to make "authentication" that is actually hard to subvert)!
I can imagine reasons they might not like this idea, but who knows. If I can easily suggest this to someone from Nvidia (instead of speculating myself), I'll try
I'll respond to the technical part in a separate comment because I might want to link to it >>
2
The interesting/challenging technical parts seem to me:
1. Putting the logic that turns off the GPU (what you called "the toll unit") in the same chip as the GPU and not in a separate chip
2. Bonus: Instead of writing the entire logic (challenge response and so on) in advance, I think it would be better to run actual code, but only if it's signed (for example, by Nvidia), in which case they can send software updates with new creative limitations, and we don't need to consider all our ideas (limit bandwidth? limit gps location?) in advance.
Things that seem obviously solvable (not like the hard part) :
3. The cryptography
4. Turning off a GPU somehow (I assume there's no need to spread many toll units, but I'm far from a GPU expert so I'd defer to you if you are)
4
Thanks! I'm not a GPU expert either. The reason I want to spread the toll units inside GPU itself isn't to turn the GPU off -- it's to stop replay attacks. If the toll thing is in a separate chip, then the toll unit must have some way to tell the GPU "GPU, you are cleared to run". To hack the GPU, you just copy that "cleared to run" signal and send it to the GPU. The same "cleared to run" signal must always make the GPU work, unless there is something inside the GPU to make sure won't accept the same "cleared to run" signal twice. That the point of the mechanism I outline -- a way to make it so the same "cleared to run" signal for the GPU won't work twice.
Hmm okay, but why do I let Nvidia send me new restrictive software updates? Why don't I run my GPUs in an underground bunker, using the old most broken firmware?
4
Oh yes the toll unit needs to be inside the GPU chip imo.
Alternatively the key could be in the central authority that is supposed to control the off switch. (same tech tho)
Nvidia (or whoever signs authorization for your GPU to run) won't sign it for you if you don't update the software (and send them a proof you did it using similar methods, I can elaborate).
Things I'd suggest to an AI lab CISO if we had 5 minutes to talk
1 minute version:
- I think there are projects that can prepare the lab for moving to an air gapped network (protecting more than model weights) which would be useful to start early, would have minimal impact on developer productivity, and could be (to some extent) delegated[1]
Extra 4 minutes:
Example categories of such projects:
- Projects that take serial time but can be done without the final stage that actually hurts developer productivity
- Toy example: Add extra ethernet cables to the building but don't use them yet
- Reduce uncertainty about the problems that will be caused by a future security measure
- Toy example: Prepare for a (partially?) air gapped network by monitoring (with consent[2]) which domains employees use and finding alternatives to them, e.g:
- Wikipedia --> Download it
- Social media --> Buy some employees a personal use computer, see if they like it?
- ... each domain becomes a project to prioritize and delegate, hopefully
- Toy example: Prepare for a (partially?) air gapped network by monitoring (with consent[2]) which domains employees use and finding alternatives to them, e.g:
- Projects that require "product market fit" with the engineers
I'm looking for an AI tool which feels like Google Docs but has an LLM proactively commenting/suggesting things.
(Is anyone else interested in something like this?)
4
The nearest thing I can think of off the top of my head is the Pantheon interface. Probably more unconventional than what you had in mind, though.
1
1. This is very cool, thanks!
1. I'm tempted to add Claude support
2. It isn't exactly what I'm going for. Example use cases I have in mind:
1. "Here's a list of projects I'm considering working on, and I'm adding curxes/considerations for each"
2. "Here's my new alignment research agenda" (can an AI suggest places where this research is wrong? Seems like checking this would help the Control agenda?)
3. "Here's a cost-effectiveness analysis of an org"
2
Seems like just pasting into the chat context / adding as attachments the relevant info on the default Claude web interface would work fine for those use cases.
1
I want the tool to proactively suggest things while working on the document, optimizing for "low friction for getting lots of comments from the LLM". The tool you suggested does optimize for this property very well
2
I see. Friction management / affordance landscaping is indeed very important for interface UX design.
1
I met someone in SF doing this but cannot remember the name of the company! If I remember I'll let you know
One idea I thought would be cool related to this is to have several LLMs with different 'personalities' each giving different kinds of feedback. Eg. a 'critic', an 'aesthete', a 'layperson', so just like in Google Docs where you get comments from different people, here you can get inline feedback from different kinds of readers
2
The Pantheon interface features comments by different LLM personas.
"Protecting model weights" is aiming too low, I'd like labs to protect their intellectual property too. Against state actors. This probably means doing engineering work inside an air gapped network, yes.
I feel it's outside the Overton Window to even suggest this and I'm not sure what to do about that except write a lesswrong shortform I guess.
Anyway, common pushbacks:
- "Employees move between companies and we can't prevent them sharing what they know": In the IDF we had secrets in our air gapped network which people didn't share because they understood
8
The case against a focus on algorithmic secret security is that this will emphasize and excuse a lower level of transparency which is potentially pretty bad.
Edit: to be clear, I'm uncertain about the overall bottom line.
3
Ah, interesting
Still, even if some parts of the architecture are public, it seems good to keep many details private, details that took the lab months/years to figure out? Seems like a nice moat
5
Yes, ideally, but it might be hard to have a relatively more nuanced message. Like in the ideal world an AI company would have algorithmic secret security, disclose things that passed cost-benefit for disclosure, and generally do good stuff on transparancy.
3
I don't think this is too nuanced for a lab that understands the importance of security here and wants a good plan (?)
1[comment deleted]
3
Some hands-on experience with software development without an internet connection, from @niplav , which seems somewhat relevant :
https://www.lesswrong.com/posts/jJ9Hx8ETz5gWGtypf/how-do-you-deal-w-super-stimuli?commentId=3KnBTp6wGYRfgzyF2
3
I think that as AI tools become more useful, working in an air gapped network is going to require a larger compromise in productivity. Maybe AI labs are the exception here as they can deploy their own products in the air gapped network, but that depends on how much of the productivity gains they can replicate using their own products. i.e. an Anthropic employee might not be able to use Cursor unless Anthropic signs a deal with Cursor to deploy it inside the network. Now do this with 10 more products, this requires infrastructure and compute that might be just too much of a hassle for the company.
4
Yeah it will compromise productivity.
I hope we can make the compromise not too painful. Especially if we start early and address all the problems that will come up before we're in the critical period where we can't afford to mess up anymore.
I also think it's worth it
1
More on starting early:
Imagine a lab starts working in an air gapped network, and one of the 1000 problems that comes up is working-from-home.
If that problem comes up now (early), then we can say "okay, working from home is allowed", and we'll add that problem to the queue of things that we'll prioritize and solve. We can also experiment with it: Maybe we can open another secure office closer to the employee's house, would they like that? If so, we could discuss fancy ways to secure the communication between the offices. If not, we can try something else.
If that problem comes up when security is critical (if we wait), then the solution will be "no more working from home, period". The security staff will be too overloaded with other problems to solve, not available to experiment with having another office nor to sign a deal with Cursor.
Ryan and Buck wrote:
> The control approach we're imagining won't work for arbitrarily powerful AIs
Okay, so if AI Control works well, how do we plan to use our controlled AI to reach a safe/aligned ASI?
Different people have different opinions. I think it would be good to have a public plan so that people can notice if they disagree and comment if they see problems.
Opinions I’ve heard so far:
- Solve ELK / mechanistic anomaly detection / something else that ARC suggested
- Let the AI come up with alignment plans such as ELK that would be
8
I think if you have "minimally viable product", you can speed up davidad's Safeguarded AI and use it to improve interpretability.
5
I think all 7 of those plans are far short of adequate to count as a real plan. There are a lot of more serious plans out there, but I don't know where they're nicely summarized.
What’s the short timeline plan? poses this question but also focuses on control, testing, and regulation - almost skipping over alignment.
Paul Christiano's and Rohin Shah's work are the two most serious. Neither of them have published a "this is the plan" concise statement, and both have probably substantially updated their plans.
These are the standard-bearers for "prosaic alignment" as a real path to alignment of AGI and ASI. There is tons of work on aligning LLMs, but very little work AFAICT on how and whether that extends to AGIs based on LLMs. That's why Paul and Rohin are the standard bearers despite not working publicly directly on this for a few years.
I work primaily on this, since I think it's the most underserved area of AGI x-risk - aligning the type of AGI people are most likely to build on the current path.
My plan can perhaps be described as extending prosaic alignment to LLM agents with new techniques, and from there to real AGI. A key strategy is using instruction-following as the alignment target. It is currently probably best summarized in my response to "what's the short timeline plan?"
5
Improved governance design. Designing treaties that are easier sells for competitors. Using improved coordination to enter win-win races to the top, and to escape lose-lose races to the bottom and other inadequate equilibria.
Lowering the costs of enforcement. For example, creating privacy-preserving inspections with verified AI inspectors which report on only a strict limited set of pre-agreed things and then are deleted.
Phishing emails might have bad text on purpose, so that security-aware people won't click through, because the next stage often involves speaking to a human scammer who prefers only speaking to people[1] who have no idea how to avoid scams.
(did you ever wonder why the generic phishing SMS you got was so bad? Couldn't they proof read their one SMS? Well, sometimes they can't, but sometimes it's probably on purpose)
This tradeoff could change if AIs could automate the stage of "speaking to a human scammer".
But also, if that stage isn't automated, then I'...
Off switch / flexheg / anti tampering:
Putting the "verifier" on the same chip as the GPU seems like an approach worth exploring as an alternative to anti-tampering (which seems hard)
I heard[1] that changing the logic running on a chip (such as subverting an off-switch mechanism) without breaking the chip seems potentially hard[2] even for a nation state.
If this is correct (or can be made correct?) then this seems much more promising than having a separate verifier-chip and gpu-chip with anti tampering preventing them from being separated (which s...
3
Chips have 15+ metal interconnect layers, so if verification is placed sufficiently all over the place physically, it probably can't be circumvented. I'm guessing a more challenging problem is replay attacks, where the chip needs some sort of persistent internal clocks or counters that can't be reset to start in order to repeatedly reuse old (but legitimate) certificates that enabled some computations at some point in the past.
1
Thanks! Could you say more about your confidence in this?
Yes, specifically I don't want an attacker to reliably be able to reset it to whatever value it had when it sent the last challenge.
If the attacker can only reset this memory to 0 (for example, by unplugging it) - then the chip can notice that's suspicious.
Another option is a reliable wall clock (though this seems less promising).
I think @jamesian told me about a reliable clock (in the sense of the clock signal used by chips, not a wall clock), I'll ask
2
Training frontier models needs a lot of chips, situations where "a chip notices something" (and any self-destruct type things) are unimportant because you can test on fewer chips and do it differently next time. Complicated ways of circumventing verification or resetting clocks are not useful if they are too artisan, they need to be applied to chips in bulk and those chips then need to be able to work for weeks in a datacenter without further interventions (that can't be made into part of the datacenter).
AI accelerator chips have 80B+ transistors, much more than an instance of certificate verification circuitry would need, so you can place multiple of them (and have them regularly recheck the certificates). There are EUV pitch metal connections several layers deep within a chip, you'd need to modify many of them all over the chip without damaging the layers above, so I expect this to be completely infeasible to do for 10K+ chips on general principle (rather than specific knowledge of how any of this works).
For clocks or counters, I guess AI accelerators normally don't have any rewritable persistent memory at all, and I don't know how hard it would be to add some in a way that makes it too complicated to keep resetting automatically.
2
My guess is that AI accelerators will have some difficult-to-modify persistent memory based on similar chips having it, but I'm not sure if it would be on the same die or not. I wrote more about how a firmware-based implementation of Offline Licensing might use H100 secure memory, clocks, and secure boot here: https://arxiv.org/abs/2404.18308
2
Changing the logic of chips is possible:
https://www.nanoscopeservices.co.uk/fib-circuit-edit/
h/t @Jonathan_H from TemperSec
Open question: How expensive is this, and specifically can this be done in scale for the chips of an entire data center?
For profit AI Security startup idea:
TL;DR: A laptop that is just a remote desktop ( + why this didn't work before and how to fix that)
Why this is nice for AI Security:
- Reduces the amount of GPUs that will be sent to customers
- Somewhat better security for this laptop since it's a bit more like defending a cloud computer. Maybe labs would use this to make the employee computers more secure?
Network spikes: A reason this didn't work before and how to solve it
The problem: Sometimes the network will be slow for a few seconds. It's really annoying if th...
2
I think this gets a lot easier if you drop the idea of a 'full remote computer' and instead embrace the idea of just the key data points move.
More like the remote VS Code server or Jupyter Notebook server, being accessed from a Chromebook. All work files would stay saved there, all experiments run from the server (probably by being sent as tasks to yet a third machine.)
Locally, you couldn't save any files, but you could do (for instance) web browsing. The web browsing could be made extra secure in some way.
3
I agree that we won't need full video streaming, it could be compressed (most of the screen doesn't change most of the time), but I gave that as an upper bound.
If you still run local computation, you lose out on some of the advantages I mentioned.
(If remote vscode is enough for someone, I definitely won't be pushing back)
Posts I want to write (most of them already have drafts) :
(how do I prioritize? do you want to user-test any of them?)
- Hiring posts
- For lesswrong
- For Metaculus
- Startups
- Do you want to start an EA software startup? A few things to probably avoid [I hate writing generic advice like this but it seems to be a reoccurring question]
- Announce "EA CTOs" plus maybe a few similar peer groups
- Against generic advice - why I'm so strongly against questions like "what should I know if I want to start a startup" [this will be really hard to write but is really close to my heart
2
How to decide when to move on from a job.
I think Control has similar problems to RLHF, where both might fail to generalize out of distribution in similar ways.
This seems important because Control has a central goal of being a fallback for that kind of failure mode.
I want to share my thoughts, including something nice Control does about this problem that I think RLHF could easily incorporate (investigate failures instead of always training against them).
What do I mean by Control generalizing out of distribution:
Our Control experiment might involve giving a model 100 leetcode problems, ...
Dario said (Nov 2024):
"I never liked those words [P(DOOM)], I think they're kinda wired, my view is we should measure risks as they come up, and in the meantime we should get all the economic benefits that we could get. And we should find ways to measure the risks that are effective, but are minimally disruptive to the amazing economic process that we see going on now that the last thing we want to do is slow down" [lightly edited for clarity, bold is mine]
If he doesn't believe this[1], I think he should clarify.
Hopefully cold take: People should say what ...
My drafty[1] notes trying to understand AI Control, friendly corrections are welcome:
“Control” is separate from “Alignment”: In Alignment, you try to get the model to have your values. “Control” assumes[2] the alignment efforts failed, and that the model is sometimes helping out (as it was trained to do), but it wants something else, and it might try to “betray” you at any moment (aka scheme).
The high level goal is to still get useful work out of this AI.
[what to do with this work? below]
In scope: AIs that could potentially cause seri...
Is this an AGI risk?
A company that makes CPUs that run very quickly but don't do matrix multiplication or other things that are important for neural networks.
Context: I know people who work there
2
Perhaps, but I'd guess only in a rather indirect way. If there's some manufacturing process that the company invests in improving in order to make their chips, and that manufacturing process happens to be useful for matrix multiplication, then yes, that could contribute.
But it's worth noting how many things would be considered AGI risks by such a standard; basically the entire supply chain for computers, and anyone who works for or with top labs; the landlords that rent office space to DeepMind, the city workers that keep the lights on and the water running for such orgs (and their suppliers), etc.
I wouldn't worry your friends too much about it unless they are contributing very directly to something that has a clear path to improving AI.
2
Thanks
May I ask why you think AGI won't contain an important computationally-constrained component which is not a neural network?
Is it because right now neural networks seem to be the most useful thing? (This does not feel reassuring, but I'd be happy for help making sense of it)
2
Metaculus has a question about whether the first AGI will be based on deep learning. The crowd estimate right now is at 85%.
I interpret that to mean that improvements to neural networks (particulary on the hardware side) are most likely to drive progress towards AGI.
Curated and popular this week
Speaking in my personal capacity as research lead of TGT (and not on behalf of MIRI), I think work in this direction is potentially interesting. One difficulty with work like this are anti-trust laws, which I am not familiar with in detail but they serve to restrict industry coordination that restricts further development / competition. It might be worth looking into how exactly anti-trust laws apply to this situation, and if there are workable solutions. Organisations that might be well placed to carry out work like this might be the frontier model forum and affiliated groups, I also have some ideas we could discuss in person.
I also think there might be more legal leeway for work like this to be done if it's housed within organisations (government or ngos) that are officially tasked with defining industry standards or similar.